Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662580 (CVE-2018-14574) - <dev-python/django-1.11.15: Open redirect possibility in CommonMiddleware (CVE-2018-14574)
Summary: <dev-python/django-1.11.15: Open redirect possibility in CommonMiddleware (CV...
Status: RESOLVED FIXED
Alias: CVE-2018-14574
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-01 14:47 UTC by Agostino Sarubbo
Modified: 2018-08-06 21:43 UTC (History)
2 users (show)

See Also:
Package list:
dev-python/django-1.11.15
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2018-08-01 14:47:54 UTC
From ${URL} :

Today the Django team issued 1.11.15 and 2.0.8 as part of our security
process. These releases address a security issue, and we encourage all
users to upgrade as soon as possible:

https://www.djangoproject.com/weblog/2018/aug/01/security-releases/

As a reminder, we ask that potential security issues be reported via
private email to security@...ngoproject.com and not via Django's Trac
instance or the django-developers list. Please see
https://www.djangoproject.com/security for further information.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Virgil Dupras gentoo-dev 2018-08-01 15:04:11 UTC
Agostino: I might need advice from a member of the security team here.

Django doesn't track whether a vulnerability affects an unsupported version and django 1.8 isn't supported since april. Thus, I think it's reasonable to think that there are good chances for 1.8 to be affected.

We still have 1.8 in the tree because it has a handful of revdeps. Do you think it's warranted to mask it ant its revdeps as a result of this bug?
Comment 2 Larry the Git Cow gentoo-dev 2018-08-01 17:59:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f13e7efa803147e9f82a01b6f7a6a8193f707e81

commit f13e7efa803147e9f82a01b6f7a6a8193f707e81
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-01 17:53:00 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-01 17:57:17 +0000

    dev-python/django: security bump to 1.11.15 and 2.0.8
    
    Bug: https://bugs.gentoo.org/662580
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 dev-python/django/Manifest                         |   3 +-
 dev-python/django/django-1.11.15.ebuild            | 112 +++++++++++++++++++++
 .../{django-2.0.7.ebuild => django-2.0.8.ebuild}   |   0
 3 files changed, 114 insertions(+), 1 deletion(-)
Comment 3 Virgil Dupras gentoo-dev 2018-08-01 18:02:13 UTC
amd64, x86, please stabilize:

=dev-python/django-1.11.15

Thanks.
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-08-05 01:04:15 UTC
x86 stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-08-06 04:26:05 UTC
amd64 stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-08-06 04:28:02 UTC
CVE-2018-14574 (https://nvd.nist.gov/vuln/detail/CVE-2018-14574):
  django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15
  and 2.0.x before 2.0.8 has an Open Redirect.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-08-06 04:29:27 UTC
GLSA vote: no
Comment 8 Larry the Git Cow gentoo-dev 2018-08-06 11:49:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=233e5e7a4367c06286ac946baa468dba3374b783

commit 233e5e7a4367c06286ac946baa468dba3374b783
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-06 11:48:45 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-06 11:48:45 +0000

    dev-python/django: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/662580
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 dev-python/django/Manifest              |   1 -
 dev-python/django/django-1.11.14.ebuild | 112 --------------------------------
 2 files changed, 113 deletions(-)